Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.

Quote:

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.

Quote:

David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.

Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java.

Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.

Ugh! I didn’t know that! Maybe I’ll stick with CS3.

Quote:

Originally Posted by bbeagle

Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

(Note: JavaScript and Java are two different things)

This reassures me, but Adobe having One More Thing I have to keep active on my machine bugs me anyway—and I’ll always be waiting for some exploit that’s not browser-based. I like to keep it simple, Adobe.

The current version of Java 7 allows java code itself to disable the security preferences of the Java sandbox. (It's supposed to ask you 'Can I write files to your c: directory?' but the hack lets the code NOT ask the user these questions, and just go 'yes - I'm allowed').

Basically, the java code now can do anything java can do WITHOUT asking you permission, like create files, rename or delete files and execute anything on your box.

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.

Yes, but having Java installed does not make it possible for anybody to run it. Your browser can run it and a malicious website could make your browser run Java ... but only if you enable Java in the browser.

Otherwise, only applications can run Java, you thus would need to download an application and run it (which normally will give you a warning about it being the first time to run this particular application). Thus, the worst this Java exploit can do additionally is a privilege escalation if something tricks you into running a downloaded application.